Search form

Main menu

Do Not Track

Do Not Track is a mechanism for protecting online privacy that specifically addresses the challenge of pervasive online web tracking, especially as employed by behavioral advertisers using increasingly sophisticated tracking technologies. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond.

The Current State of Online Tracking

In recent years, an ecosystem of online tracking companies has begun to monitor our clicks, searches and reading habits as we move around the Internet. While technologists have been concerned about the privacy implications of such tracking for years, the Wall Street Journal's What They Know series brought widespread public attention to the issue by showcasing how marketers gather data on online users.

An HTTP cookie, originally invented by Lou Montulli and John Giannandrea at Netscape in 1994, is extremely useful for the web; cookies are the easiest way to offer "stateful" user interfaces such as user accounts and logins, multi-page forms, or online shopping carts. Cookies also allow sites to store a unique ID in your browser, and therefore to track you. So many people have learned to block, limit or delete their cookies.

Unfortunately, more recent technologies have brought the advent of cookie-like tracking systems that are harder for a user to detect or delete, and may well provide marketers with a rich source of data about an individual. Today, online tracking companies use supercookies and fingerprints to follow people who try to delete their cookies, and the leakage of user IDs from social networks and similar sites has often given them an easy way to identify the people they were tracking.

The pervasiveness of online tracking is a threat to the privacy of our online reading and communications. That's why technologists and policy makers have been devising ways to give users a choice about when they are tracked online. Do Not Track is a unique and powerful way of dealing with the problem of online tracking. It provides users with a voice - so they can tell companies whether or not they want to be tracked online.

Do Not Track – The Technology

Every time your computer sends or receives information over the Web, the request begins with some short pieces of information called headers. These headers include information like what browser you're using, what language your computer is set to, and other technical details. The Do Not Track proposal is to include a simple, machine-readable header indicating that you don't want to be tracked. The header that would be inserted is DNT:1. Because this signal is a header, and not a cookie, users will be able to clear their cookies at will without disrupting the functionality of the Do Not Track flag.

It’s important to note that there is no "list" that consumers need to sign up for. Early discussion of Do Not Track included proposals about a list-based registry of users, similar to the Do Not Call Registry. This proposal does not collect data on consumers in a central list. Read more about the history of Do Not Track.

Do Not Track – The Policy

The policy aspect of Do Not Track includes how recipients of the Do Not Track flag should respond, and the appropriate response from a regulatory body. While the technology of Do Not Track is simple, the policy framework is where the important work happens. We have blogged about what we believe the "track" in Do Not Track could mean.

The bigger question is, "what institutional process should be used for setting and updating this policy?". EFF has written comments to the FTC, Commerce Department, and the California State Senate expressing our views on the optimal regulatory framework for Do Not Track.

The best policy framework will need to strike a careful balance between protecting consumer privacy and safeguarding the rights of innovators. Do Not Track is designed specifically to address the issue of invisible third-party tracking, so EFF strongly supports limiting the scope of Do Not Track to those sites which are acting as third parties. See our letter to the California State Senate on this issue. We also believe that, given the failure of industry to effectively self-regulate, Congress may need to grant the Federal Trade Commission limited, carefully cabined authority to do rulemaking on how sites should interpret this signal.

Several consumer privacy bills have been introduced, each with a slightly different approach to dealing with online tracking. We’ll be following this debate as it continues on the Hill, and continuing to advocate for the rights of users to tell companies: Do Not Track Me.